[Dshield] Mangled traffic and its effects on IDS performance
cef at optus.net
Wed Apr 11 03:53:21 GMT 2007
On Wednesday 11 April 2007 00:02, Pete Cap wrote:
> Packet analysis with wireshark shows that about 1/3 of the packets, at any
> given time, are dupes, transmitted out-of-order, are truncated, etc.
> Basically, it's pretty mangled. If you look at transmission times, about
> half the traffic is fine, and about 1/3 is very, very slow. So, in
> statistical terms, it's like there are two distributions.
Re: the dupes...
Find both the source and the destination, and from the source (or as close to
it as possible) check the turn-around time to the destination.
I've had cases where long turn-around times on a combination of a wireless
network and a VPN caused a number of dupes simply because one of the TCP
stacks was optimised to resend packets if there was no ACK within a short
time period (it was expecting a fast LAN environment). You may find that the
transmission time is just a few milliseconds too long, and some simple
tweaking might reduce the dupe overhead. It won't fix all of the slowness,
but it will reduce the number of dupes on the pipe, which means more time
will be free for valid data transmission rather than erroneous
BTW: Remember that every OS handles this sort of thing differently, and not
all of them obey standards, mainly because while standards are a nice idea,
sometimes they are impractical for the application at hand. This is not to
say that I approve of breaking standards, but that I can see "why" they
are doing it. Of course, when you get everyone changing things about, the
chances of hitting a problem increase.
I'd also try classifying the data into destination/protocol/port groups, and
see if there is any correlation between the groups and the amount of dupe/tx
OoO/truncated traffic in each group. This will give you a better insight into
just what is causing the problem and what is going on.
Stuart Young - aka Cefiar - cef at optus.net
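The grouping exercise suggested above (classify by destination/protocol/port, then see which groups carry the most duplicate, out-of-order and truncated traffic) and the retransmission-timing point both fit in one small script. The following is an added example, not code from the thread or from its authors; it works on a hand-built list of packet records rather than a live capture, so the record layout, the addresses and the timings are all constructed. Per group it counts dupes (same flow and TCP sequence number seen twice), out-of-order segments (sequence number below the highest already seen on that flow), truncated frames (captured length shorter than wire length), and records the shortest retransmission delay, which is the number to compare against the measured turn-around time to the destination:

```python
"""Group constructed packet records by (dst, proto, dport) and measure how much
duplicate, out-of-order and truncated traffic each group carries.
Added example; every record below is constructed, not taken from a capture."""
from collections import defaultdict

# Constructed sample records (hypothetical layout, not a pcap):
# (timestamp_s, src, dst, proto, dport, tcp_seq or None, wire_len, captured_len)
PACKETS = [
    (0.000, "10.0.0.5", "10.0.0.9", "tcp", 80, 1000, 1460, 1460),
    (0.001, "10.0.0.5", "10.0.0.9", "tcp", 80, 2460, 1460, 1460),
    (0.250, "10.0.0.5", "10.0.0.9", "tcp", 80, 1000, 1460, 1460),  # retransmit: dupe
    (0.255, "10.0.0.5", "10.0.0.9", "tcp", 80, 2460, 1460, 1460),  # retransmit: dupe
    (0.260, "10.0.0.5", "10.0.0.9", "tcp", 80, 3920, 1460, 1460),
    (0.300, "10.0.0.6", "10.0.0.9", "tcp", 80, 100, 1460, 1460),
    (0.301, "10.0.0.6", "10.0.0.9", "tcp", 80, 2920, 1460, 1460),
    (0.302, "10.0.0.6", "10.0.0.9", "tcp", 80, 1560, 1460, 1460),  # after 2920: out of order
    (0.400, "10.0.0.5", "10.0.0.9", "tcp", 443, 500, 1460, 1460),
    (0.401, "10.0.0.5", "10.0.0.9", "tcp", 443, 1960, 1460, 96),   # snaplen cut it: truncated
    (0.402, "10.0.0.5", "10.0.0.9", "tcp", 443, 3420, 1460, 1460),
    (0.500, "10.0.0.5", "192.0.2.7", "udp", 53, None, 80, 80),
    (0.501, "10.0.0.5", "192.0.2.7", "udp", 53, None, 80, 80),
]


def classify(packets):
    """Return per-(dst, proto, dport) counters plus the shortest delay between
    a segment and its first retransmission (None if no dupes were seen)."""
    first_seen = {}      # (flow, seq) -> timestamp of the first transmission
    highest_seq = {}     # flow -> highest TCP seq seen so far
    groups = defaultdict(lambda: {"total": 0, "dupe": 0, "ooo": 0,
                                  "truncated": 0, "min_retx_delay": None})
    for ts, src, dst, proto, dport, seq, wire_len, cap_len in sorted(packets, key=lambda p: p[0]):
        g = groups[(dst, proto, dport)]
        g["total"] += 1
        if cap_len < wire_len:
            g["truncated"] += 1
        if seq is None:  # no sequence numbers: dupe/OoO cannot be decided here
            continue
        flow = (src, dst, proto, dport)
        if (flow, seq) in first_seen:
            # Same flow, same seq: a retransmission. Its delay since the first
            # copy approximates the sender's retransmission timer.
            g["dupe"] += 1
            delay = ts - first_seen[(flow, seq)]
            cur = g["min_retx_delay"]
            g["min_retx_delay"] = delay if cur is None else min(cur, delay)
        else:
            first_seen[(flow, seq)] = ts
            if seq < highest_seq.get(flow, -1):
                g["ooo"] += 1
            highest_seq[flow] = max(highest_seq.get(flow, -1), seq)
    return dict(groups)


def rank_groups(groups):
    """Order groups by the fraction of mangled (dupe + OoO + truncated) packets."""
    scored = [(key, (v["dupe"] + v["ooo"] + v["truncated"]) / v["total"])
              for key, v in groups.items()]
    return sorted(scored, key=lambda kv: kv[1], reverse=True)


if __name__ == "__main__":
    stats = classify(PACKETS)
    for key, frac in rank_groups(stats):
        v = stats[key]
        print(f"{key}: {v['total']} pkts, {frac:.0%} mangled "
              f"(dupe={v['dupe']} ooo={v['ooo']} trunc={v['truncated']} "
              f"min_retx={v['min_retx_delay']})")
```

With real traffic the records would come from a capture export (for instance tshark fields for time, addresses, ports, tcp.seq and frame/captured lengths); the point of the output is the comparison, per group, between `min_retx_delay` and the round trip you measure from the source, since a retransmission timer that fires before the ACK can return is exactly the fast-LAN assumption described above.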